New Defects reported by Coverity Scan for freerangerouting/frr
scan-admin at coverity.com
Mon Aug 15 15:05:56 UTC 2022
Hi,
Please find the latest report on new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
102 new defect(s) introduced to freerangerouting/frr found with Coverity Scan.
24 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 102 defect(s)
** CID 1519830: (NULL_RETURNS)
/bgpd/bgp_evpn_vty.c: 4059 in no_bgp_evpn_advertise_type5()
/bgpd/bgp_evpn_vty.c: 4074 in no_bgp_evpn_advertise_type5()
________________________________________________________________________________________________________
*** CID 1519830: (NULL_RETURNS)
/bgpd/bgp_evpn_vty.c: 4059 in no_bgp_evpn_advertise_type5()
4053
4054 if (afi == AFI_IP) {
4055
4056 /* if we are not advertising ipv4 prefix as type-5
4057 * nothing to do
4058 */
>>> CID 1519830: (NULL_RETURNS)
>>> Dereferencing "bgp_vrf", which is known to be "NULL".
4059 if ((CHECK_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN],
4060 BGP_L2VPN_EVPN_ADV_IPV4_UNICAST)) ||
4061 (CHECK_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN],
4062 BGP_L2VPN_EVPN_ADV_IPV4_UNICAST_GW_IP))) {
4063 bgp_evpn_withdraw_type5_routes(bgp_vrf, afi, safi);
4064 UNSET_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN],
/bgpd/bgp_evpn_vty.c: 4074 in no_bgp_evpn_advertise_type5()
4068 }
4069 } else {
4070
4071 /* if we are not advertising ipv6 prefix as type-5
4072 * nothing to do
4073 */
>>> CID 1519830: (NULL_RETURNS)
>>> Dereferencing "bgp_vrf", which is known to be "NULL".
4074 if ((CHECK_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN],
4075 BGP_L2VPN_EVPN_ADV_IPV6_UNICAST)) ||
4076 (CHECK_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN],
4077 BGP_L2VPN_EVPN_ADV_IPV6_UNICAST_GW_IP))){
4078 bgp_evpn_withdraw_type5_routes(bgp_vrf, afi, safi);
4079 UNSET_FLAG(bgp_vrf->af_flags[AFI_L2VPN][SAFI_EVPN],
** CID 1519829: Integer handling issues (BAD_SHIFT)
/pathd/path_pcep_pcc.c: 151 in plspid_map_add()
________________________________________________________________________________________________________
*** CID 1519829: Integer handling issues (BAD_SHIFT)
/pathd/path_pcep_pcc.c: 151 in plspid_map_add()
145 static uint32_t nbkey_map_hash(const struct nbkey_map_data *e);
146 static int req_map_cmp(const struct req_map_data *a,
147 const struct req_map_data *b);
148 static uint32_t req_map_hash(const struct req_map_data *e);
149
150 /* Data Structure Declarations */
>>> CID 1519829: Integer handling issues (BAD_SHIFT)
>>> In expression "hval >> 33 - h->hh.tabshift", right shifting by more than 31 bits has undefined behavior. The shift amount, "33 - h->hh.tabshift", is 33. Reviewer note: an amount of 33 means tabshift is 0, which presumably corresponds to a table that has not been sized yet. The expression comes from the DECLARE_HASH macro body rather than from this file, so every DECLARE_HASH instantiation reports the same finding (see CID 1519826 in /lib/qobj.c); the fix belongs in the macro, which must not compute a bucket index while tabshift is 0.
151 DECLARE_HASH(plspid_map, struct plspid_map_data, mi, plspid_map_cmp,
152 plspid_map_hash);
153 DECLARE_HASH(nbkey_map, struct nbkey_map_data, mi, nbkey_map_cmp,
154 nbkey_map_hash);
155 DECLARE_HASH(req_map, struct req_map_data, mi, req_map_cmp, req_map_hash);
156
** CID 1519828: High impact quality (Y2K38_SAFETY)
/pimd/mtracebis_netlink.c: 95 in rtnl_open_byproto()
________________________________________________________________________________________________________
*** CID 1519828: High impact quality (Y2K38_SAFETY)
/pimd/mtracebis_netlink.c: 95 in rtnl_open_byproto()
89 }
90 if (rth->local.nl_family != AF_NETLINK) {
91 fprintf(stderr, "Wrong address family %d\n",
92 rth->local.nl_family);
93 return -1;
94 }
>>> CID 1519828: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "__u32". Reviewer note: here the value appears to seed only the netlink sequence number (rth->seq), so truncation to 32 bits loses nothing that is later interpreted as a time; this can be triaged as intentional, preferably with an explicit (__u32) cast to document it.
95 rth->seq = time(NULL);
96 return 0;
97 }
98
99 int rtnl_open(struct rtnl_handle *rth, unsigned subscriptions)
100 {
** CID 1519827: Security best practices violations (DC.WEAK_CRYPTO)
/nhrpd/nhrp_peer.c: 337 in nhrp_peer_check()
________________________________________________________________________________________________________
*** CID 1519827: Security best practices violations (DC.WEAK_CRYPTO)
/nhrpd/nhrp_peer.c: 337 in nhrp_peer_check()
331 thread_add_timer(
332 master, nhrp_peer_request_timeout, p,
333 (nifp->ipsec_fallback_profile && !p->prio) ? 15 : 30,
334 &p->t_fallback);
335 } else {
336 /* Maximum timeout is 1 second */
>>> CID 1519827: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
337 int r_time_ms = rand() % 1000;
338
339 debugf(NHRP_DEBUG_COMMON,
340 "Initiating IPsec connection request to %pSU after %d ms:",
341 &vc->remote.nbma, r_time_ms);
342 thread_add_timer_msec(master, nhrp_peer_defer_vici_request,
** CID 1519826: Integer handling issues (BAD_SHIFT)
/lib/qobj.c: 45 in qobj_nodes_add()
________________________________________________________________________________________________________
*** CID 1519826: Integer handling issues (BAD_SHIFT)
/lib/qobj.c: 45 in qobj_nodes_add()
39 return -1;
40 if (na->nid > nb->nid)
41 return 1;
42 return 0;
43 }
44
>>> CID 1519826: Integer handling issues (BAD_SHIFT)
>>> In expression "hval >> 33 - h->hh.tabshift", right shifting by more than 31 bits has undefined behavior. The shift amount, "33 - h->hh.tabshift", is 33. Reviewer note: same root cause as CID 1519829 — the expression is expanded from the DECLARE_HASH macro, not written in qobj.c, and the UB occurs when tabshift is 0; fix it once in the macro rather than per instantiation.
45 DECLARE_HASH(qobj_nodes, struct qobj_node, nodehash,
46 qobj_cmp, qobj_hash);
47
48 static pthread_rwlock_t nodes_lock;
49 static struct qobj_nodes_head nodes = { };
50
** CID 1519825: Null pointer dereferences (NULL_RETURNS)
/ospfd/ospf_ti_lfa.c: 123 in ospf_ti_lfa_find_q_node()
________________________________________________________________________________________________________
*** CID 1519825: Null pointer dereferences (NULL_RETURNS)
/ospfd/ospf_ti_lfa.c: 123 in ospf_ti_lfa_find_q_node()
117 {
118 struct listnode *curr_node, *next_node;
119 struct vertex *p_node, *q_node, *q_space_parent = NULL, *pc_node_parent;
120 struct vertex_parent *pc_vertex_parent;
121
122 curr_node = listnode_lookup(q_space->pc_path, pc_node);
>>> CID 1519825: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "curr_node", which is known to be "NULL".
123 next_node = curr_node->next;
124 pc_node_parent = listgetdata(next_node);
125 pc_vertex_parent =
126 ospf_spf_vertex_parent_find(pc_node_parent->id, pc_node);
127
128 p_node = ospf_spf_vertex_find(pc_node->id, p_space->vertex_list);
** CID 1519824: Null pointer dereferences (REVERSE_INULL)
/pimd/pim_ifchannel.c: 640 in ifjoin_to_noinfo()
________________________________________________________________________________________________________
*** CID 1519824: Null pointer dereferences (REVERSE_INULL)
/pimd/pim_ifchannel.c: 640 in ifjoin_to_noinfo()
634
635 static void ifjoin_to_noinfo(struct pim_ifchannel *ch)
636 {
637 pim_ifchannel_ifjoin_switch(__func__, ch, PIM_IFJOIN_NOINFO);
638 pim_forward_stop(ch);
639
>>> CID 1519824: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "ch->upstream" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
640 if (ch->upstream)
641 PIM_UPSTREAM_FLAG_UNSET_SRC_PIM(ch->upstream->flags);
642
643 PIM_IF_FLAG_UNSET_PROTO_PIM(ch->flags);
644
645 delete_on_noinfo(ch);
** CID 1519823: Insecure data handling (TAINTED_SCALAR)
/nhrpd/nhrp_peer.c: 1097 in nhrp_packet_debug()
________________________________________________________________________________________________________
*** CID 1519823: Insecure data handling (TAINTED_SCALAR)
/nhrpd/nhrp_peer.c: 1097 in nhrp_packet_debug()
1091 if (likely(!(debug_flags & NHRP_DEBUG_COMMON)))
1092 return;
1093
1094 zbuf_init(&zhdr, zb->buf, zb->tail - zb->buf, zb->tail - zb->buf);
1095 hdr = nhrp_packet_pull(&zhdr, &src_nbma, &src_proto, &dst_proto);
1096
>>> CID 1519823: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "hdr->type" as an index into an array "packet_types".
1097 reply = packet_types[hdr->type].type == PACKET_REPLY;
1098 debugf(NHRP_DEBUG_COMMON, "%s %s(%d) %pSU -> %pSU", dir,
1099 (packet_types[hdr->type].name ? packet_types[hdr->type].name
1100 : "Unknown"),
1101 hdr->type, reply ? &dst_proto : &src_proto,
1102 reply ? &src_proto : &dst_proto);
** CID 1519822: High impact quality (Y2K38_SAFETY)
/isisd/isis_lsp.c: 1414 in lsp_generate()
________________________________________________________________________________________________________
*** CID 1519822: High impact quality (Y2K38_SAFETY)
/isisd/isis_lsp.c: 1414 in lsp_generate()
1408 "ISIS (%s): Built L%d LSP. Set triggered regenerate to non-pending.",
1409 area->area_tag, level);
1410
1411 #ifndef FABRICD
1412 /* send northbound notification */
1413 isis_notif_lsp_gen(area, newlsp->hdr.lsp_id, newlsp->hdr.seqno,
>>> CID 1519822: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "newlsp->last_generated" is cast to "uint32_t". Reviewer note: the truncation happens at the call boundary — isis_notif_lsp_gen() takes the timestamp as uint32_t, so the reported value will wrap in 2038. The fix is to widen that parameter (and whatever in the notification data model constrains it, if anything), not to cast at the call site.
1414 newlsp->last_generated);
1415 #endif /* ifndef FABRICD */
1416
1417 return ISIS_OK;
1418 }
1419
** CID 1519821: Null pointer dereferences (REVERSE_INULL)
/pimd/pim_cmd.c: 5532 in show_ip_msdp_mesh_group()
________________________________________________________________________________________________________
*** CID 1519821: Null pointer dereferences (REVERSE_INULL)
/pimd/pim_cmd.c: 5532 in show_ip_msdp_mesh_group()
5526 int idx = 2;
5527 struct pim_msdp_mg *mg;
5528 struct vrf *vrf = pim_cmd_lookup_vrf(vty, argv, argc, &idx);
5529 struct pim_instance *pim = vrf->info;
5530 struct json_object *json = NULL;
5531
>>> CID 1519821: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "vrf" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
5532 if (!vrf)
5533 return CMD_WARNING;
5534
5535 /* Quick case: list is empty. */
5536 if (SLIST_EMPTY(&pim->msdp.mglist)) {
5537 if (uj)
** CID 1519820: Memory - illegal accesses (USE_AFTER_FREE)
/lib/link_state.c: 1805 in ls_msg2edge()
________________________________________________________________________________________________________
*** CID 1519820: Memory - illegal accesses (USE_AFTER_FREE)
/lib/link_state.c: 1805 in ls_msg2edge()
1799 break;
1800 default:
1801 edge = NULL;
1802 break;
1803 }
1804
>>> CID 1519820: Memory - illegal accesses (USE_AFTER_FREE)
>>> Using freed pointer "edge".
1805 return edge;
1806 }
1807
1808 struct ls_subnet *ls_msg2subnet(struct ls_ted *ted, struct ls_message *msg,
1809 bool delete)
1810 {
** CID 1519819: Memory - illegal accesses (USE_AFTER_FREE)
/pathd/path_pcep_pcc.c: 1330 in handle_pcep_lsp_initiate()
________________________________________________________________________________________________________
*** CID 1519819: Memory - illegal accesses (USE_AFTER_FREE)
/pathd/path_pcep_pcc.c: 1330 in handle_pcep_lsp_initiate()
1324 } else {
1325 /* FIXME: Monitor the amount of errors from the PCE and
1326 * possibly disconnect and blacklist */
1327 flog_warn(EC_PATH_PCEP_UNSUPPORTED_PCEP_FEATURE,
1328 "Unsupported PCEP protocol feature: %s", err);
1329 pcep_free_path(path);
>>> CID 1519819: Memory - illegal accesses (USE_AFTER_FREE)
>>> Passing freed pointer "path" as an argument to "send_pcep_error".
1330 send_pcep_error(pcc_state, PCEP_ERRT_INVALID_OPERATION,
1331 PCEP_ERRV_LSP_NOT_PCE_INITIATED, path);
1332 }
1333 }
1334
1335 void handle_pcep_comp_reply(struct ctrl_state *ctrl_state,
** CID 1519818: Null pointer dereferences (NULL_RETURNS)
/pbrd/pbr_vty.c: 173 in pbr_map_match_dst_magic()
________________________________________________________________________________________________________
*** CID 1519818: Null pointer dereferences (NULL_RETURNS)
/pbrd/pbr_vty.c: 173 in pbr_map_match_dst_magic()
167 "Choose the dst ip or ipv6 prefix to use\n"
168 "v4 Prefix\n"
169 "v6 Prefix\n")
170 {
171 struct pbr_map_sequence *pbrms = VTY_GET_CONTEXT(pbr_map_sequence);
172
>>> CID 1519818: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "pbrms", which is known to be "NULL".
173 if (pbrms->src && pbrms->family && prefix->family != pbrms->family) {
174 vty_out(vty, "Cannot mismatch families within match src/dst\n");
175 return CMD_WARNING_CONFIG_FAILED;
176 }
177
178 pbrms->family = prefix->family;
** CID 1519817: Code maintainability issues (UNUSED_VALUE)
/zebra/zebra_dplane.c: 3425 in dplane_nexthop_update_internal()
________________________________________________________________________________________________________
*** CID 1519817: Code maintainability issues (UNUSED_VALUE)
/zebra/zebra_dplane.c: 3425 in dplane_nexthop_update_internal()
3419 * Return: Result of the change
3420 */
3421 static enum zebra_dplane_result
3422 dplane_nexthop_update_internal(struct nhg_hash_entry *nhe, enum dplane_op_e op)
3423 {
3424 enum zebra_dplane_result result = ZEBRA_DPLANE_REQUEST_FAILURE;
>>> CID 1519817: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "22" to "ret" here, but that stored value is overwritten before it can be used.
3425 int ret = EINVAL;
3426 struct zebra_dplane_ctx *ctx = NULL;
3427
3428 /* Obtain context block */
3429 ctx = dplane_ctx_alloc();
3430 if (!ctx) {
** CID 1519816: Error handling issues (CHECKED_RETURN)
/pimd/pim_tib.c: 52 in tib_sg_oil_setup()
________________________________________________________________________________________________________
*** CID 1519816: Error handling issues (CHECKED_RETURN)
/pimd/pim_tib.c: 52 in tib_sg_oil_setup()
46 pim_addr_to_prefix(&grp, sg.grp);
47
48 up = pim_upstream_find(pim, &sg);
49 if (up) {
50 memcpy(&nexthop, &up->rpf.source_nexthop,
51 sizeof(struct pim_nexthop));
>>> CID 1519816: Error handling issues (CHECKED_RETURN)
>>> Calling "pim_ecmp_nexthop_lookup" without checking return value (as is done elsewhere 8 out of 9 times).
52 pim_ecmp_nexthop_lookup(pim, &nexthop, vif_source, &grp, 0);
53 if (nexthop.interface)
54 input_iface_vif_index = pim_if_find_vifindex_by_ifindex(
55 pim, nexthop.interface->ifindex);
56 } else
57 input_iface_vif_index =
** CID 1519815: (TAINTED_SCALAR)
/nhrpd/nhrp_peer.c: 976 in nhrp_peer_forward()
/nhrpd/nhrp_peer.c: 1003 in nhrp_peer_forward()
________________________________________________________________________________________________________
*** CID 1519815: (TAINTED_SCALAR)
/nhrpd/nhrp_peer.c: 976 in nhrp_peer_forward()
970 goto err;
971
972 switch (type) {
973 case NHRP_EXTENSION_FORWARD_TRANSIT_NHS:
974 case NHRP_EXTENSION_REVERSE_TRANSIT_NHS:
975 zbuf_put(zb, extpl.head, len);
>>> CID 1519815: (TAINTED_SCALAR)
>>> Using tainted variable "hdr->type" as an index into an array "packet_types".
976 if ((type == NHRP_EXTENSION_REVERSE_TRANSIT_NHS)
977 == (packet_types[hdr->type].type == PACKET_REPLY)) {
978 /* Check NHS list for forwarding loop */
979 while (nhrp_cie_pull(&extpl, pp->hdr,
980 &cie_nbma,
981 &cie_protocol) != NULL) {
/nhrpd/nhrp_peer.c: 1003 in nhrp_peer_forward()
997 proto = NULL;
998
999 /* If NAT extension is empty then attempt to populate
1000 * it with cached NBMA information
1001 */
1002 if (len == 0) {
>>> CID 1519815: (TAINTED_SCALAR)
>>> Using tainted variable "hdr->type" as an index into an array "packet_types".
1003 if (packet_types[hdr->type].type
1004 == PACKET_REQUEST) {
1005 debugf(NHRP_DEBUG_COMMON,
1006 "Processing NHRP_EXTENSION_NAT_ADDRESS while forwarding the request packet");
1007 proto = &pp->src_proto;
1008 } else if (packet_types[hdr->type].type
** CID 1519814: Null pointer dereferences (NULL_RETURNS)
/pbrd/pbr_vty.c: 627 in pbr_map_nexthop_magic()
________________________________________________________________________________________________________
*** CID 1519814: Null pointer dereferences (NULL_RETURNS)
/pbrd/pbr_vty.c: 627 in pbr_map_nexthop_magic()
621 nhop.type = NEXTHOP_TYPE_IPV6;
622 }
623 }
624 } else
625 nhop.type = NEXTHOP_TYPE_IFINDEX;
626
>>> CID 1519814: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "pbrms", which is known to be "NULL".
627 if (pbrms->nhg)
628 nh = nexthop_exists(pbrms->nhg, &nhop);
629
630 if (nh) /* Same config re-entered */
631 goto done;
632
** CID 1519813: (NULL_RETURNS)
/pbrd/pbr_vty.c: 254 in pbr_map_match_dst_port_magic()
/pbrd/pbr_vty.c: 259 in pbr_map_match_dst_port_magic()
________________________________________________________________________________________________________
*** CID 1519813: (NULL_RETURNS)
/pbrd/pbr_vty.c: 254 in pbr_map_match_dst_port_magic()
248 "Choose the destination port to use\n"
249 "The Destination Port\n")
250 {
251 struct pbr_map_sequence *pbrms = VTY_GET_CONTEXT(pbr_map_sequence);
252
253 if (!no) {
>>> CID 1519813: (NULL_RETURNS)
>>> Dereferencing "pbrms", which is known to be "NULL".
254 if (pbrms->dst_prt == port)
255 return CMD_SUCCESS;
256 else
257 pbrms->dst_prt = port;
258 } else
259 pbrms->dst_prt = 0;
/pbrd/pbr_vty.c: 259 in pbr_map_match_dst_port_magic()
253 if (!no) {
254 if (pbrms->dst_prt == port)
255 return CMD_SUCCESS;
256 else
257 pbrms->dst_prt = port;
258 } else
>>> CID 1519813: (NULL_RETURNS)
>>> Dereferencing "pbrms", which is known to be "NULL".
259 pbrms->dst_prt = 0;
260
261 pbr_map_check(pbrms, true);
262
263 return CMD_SUCCESS;
264 }
** CID 1519812: High impact quality (Y2K38_SAFETY)
/zebra/zebra_netns_id.c: 76 in initiate_nlh()
________________________________________________________________________________________________________
*** CID 1519812: High impact quality (Y2K38_SAFETY)
/zebra/zebra_netns_id.c: 76 in initiate_nlh()
70 nlh->nlmsg_len = NETLINK_ALIGN(sizeof(struct nlmsghdr));
71
72 nlh->nlmsg_type = type;
73 nlh->nlmsg_flags = NLM_F_REQUEST;
74 if (type == RTM_NEWNSID)
75 nlh->nlmsg_flags |= NLM_F_ACK;
>>> CID 1519812: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "unsigned int". Reviewer note: as with CID 1519828, the truncated value is only used as a netlink sequence number (nlh->nlmsg_seq), not stored or compared as a time, so losing the high bits is harmless; an explicit cast documents the intent and silences the finding.
76 nlh->nlmsg_seq = *seq = time(NULL);
77 return nlh;
78 }
79
80 static int send_receive(int sock, struct nlmsghdr *nlh, unsigned int seq,
81 char *buf)
** CID 1519811: Null pointer dereferences (NULL_RETURNS)
________________________________________________________________________________________________________
*** CID 1519811: Null pointer dereferences (NULL_RETURNS)
/pbrd/pbr_vty.c: 725 in no_pbr_map_vrf_magic()
719 "Specify the VRF for this map\n"
720 "The VRF Name\n"
721 "Use the interface's VRF for lookup\n")
722 {
723 struct pbr_map_sequence *pbrms = VTY_GET_CONTEXT(pbr_map_sequence);
724
>>> CID 1519811: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "pbrms" when calling "pbrms_clear_set_config".
725 pbrms_clear_set_config(pbrms);
726
727 return CMD_SUCCESS;
728 }
729
730 DEFPY (pbr_policy,
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrtN2DGUU98GYhjd55wXsXtw53zRK70R0agdV-2Fb7c45-2BkxBoZjryQtr5SpUD80NNfE-3DPcuK_O0IDF7c8sUs2B6kWTeWwAJZqriD5fgsfL8PAN30oQTzJyzcj4BJO56Jz3xlAOaWMbp7ln1-2BkS-2FWxoYI2F2yvcLAmJi8CCfQW-2F3iIKGX4GQhm-2FdcopA6dpkJVGrPeQljXQzWuuJWsQEzNnB0ZZYisatAyOF0GP-2BB81snfbRJOJnd6kE-2FNvqhrLYYtA3IS3NZ53qumTlKChORzdsUlfgHNZQ-3D-3D (a SendGrid click-tracking redirect; the underlying destination is presumably the project's Coverity Scan dashboard — navigate there directly if you prefer not to follow tracked links).